Fix oc policy remove-user to remove rolebindings too

simo5 · luksa · commit 67f7fef74652 · 2018-02-14T14:38:52.000+01:00
Followup to openshift#18102 Signed-off-by: Simo Sorce <simo@redhat.com>
diff --git a/pkg/oc/admin/policy/modify_roles.go b/pkg/oc/admin/policy/modify_roles.go
@@ -513,6 +513,12 @@ func (o *RoleModificationOptions) RemoveRole() error {
 		if err != nil {
 			return err
 		}
+		// Check that we update the rolebinding for the intended role.
+		if existingRoleBinding.RoleRef.Name != o.RoleName || existingRoleBinding.RoleRef.Namespace != o.RoleNamespace {
+			return fmt.Errorf("rolebinding %s contains role %s in namespace %s, instead of role %s in namespace %s",
+				o.RoleBindingName, existingRoleBinding.RoleRef.Name, existingRoleBinding.RoleRef.Namespace, o.RoleName, o.RoleNamespace)
+		}
+
 		roleBindings = make([]*authorizationapi.RoleBinding, 1)
 		roleBindings[0] = existingRoleBinding
 	} else {
diff --git a/pkg/oc/admin/policy/remove_from_project.go b/pkg/oc/admin/policy/remove_from_project.go
@@ -176,7 +176,11 @@ func (o *RemoveFromProjectOptions) Run() error {
 		}
 
 		if !o.DryRun {
-			_, err = o.Client.RoleBindings(o.BindingNamespace).Update(&currBinding)
+			if len(currBinding.Subjects) > 0 {
+				_, err = o.Client.RoleBindings(o.BindingNamespace).Update(&currBinding)
+			} else {
+				err = o.Client.RoleBindings(o.BindingNamespace).Delete(currBinding.Name, &metav1.DeleteOptions{})
+			}
 			if err != nil {
 				return err
 			}
diff --git a/test/integration/policy_commands_test.go b/test/integration/policy_commands_test.go
@@ -4,6 +4,7 @@ import (
 	"io/ioutil"
 	"testing"
 
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	authorizationclient "github.com/openshift/origin/pkg/authorization/generated/internalclientset"
@@ -89,8 +90,10 @@ func TestPolicyCommands(t *testing.T) {
 		t.Fatalf("unexpected error: %v", err)
 	}
 
+	// Check that the removal of the last subject caused the rolebinding to be
+	// removed as well
 	viewers, err = haroldAuthorizationClient.RoleBindings(projectName).Get("view", metav1.GetOptions{})
-	if err != nil {
+	if !errors.IsNotFound(err) {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	binding = authorizationinterfaces.NewLocalRoleBindingAdapter(viewers)

Original file line number	Diff line number	Diff line change
`@@ -176,7 +176,11 @@ func (o *RemoveFromProjectOptions) Run() error {`
`176`	`176`	`}`
`177`	`177`
`178`	`178`	`if !o.DryRun {`
`179`		`- _, err = o.Client.RoleBindings(o.BindingNamespace).Update(&currBinding)`
	`179`	`+ if len(currBinding.Subjects) > 0 {`
	`180`	`+ _, err = o.Client.RoleBindings(o.BindingNamespace).Update(&currBinding)`
	`181`	`+ } else {`
	`182`	`+ err = o.Client.RoleBindings(o.BindingNamespace).Delete(currBinding.Name, &metav1.DeleteOptions{})`
	`183`	`+ }`
`180`	`184`	`if err != nil {`
`181`	`185`	`return err`
`182`	`186`	`}`